How to set up OpenVPN on Linux as a client
This article will teach you how to set up OpenVPN on Linux as a client and gain precise control over your network traffic using the appropriate routes.

In this structured and technical article, we will teach you how to set up OpenVPN on Linux as a client. With step-by-step instructions and route management, you can better control your traffic flow. This article includes security tips and troubleshooting for optimal use of OpenVPN.

Do you want to install OpenVPN on Linux as a client and send some destinations through the VPN while the rest keep using the normal route?

In this practical, technical step-by-step guide, we walk through configuring OpenVPN as a client on popular Linux distributions. The goal is to provide sample files, up/down scripts for managing routes, split-tunneling and IP bypass methods, and tips for username/password authentication.

 

Prerequisites

Before you begin, make sure you have the following:

  • A Linux system (Ubuntu/Debian/CentOS/Fedora/Alma)
  • The openvpn package installed
  • The server configuration file or .ovpn file from the VPN provider
  • A username/password, if the server uses combined authentication (user/pass + cert)

 

OpenVPN installation

Installation commands for common distributions:

sudo apt update && sudo apt install openvpn   # Debian/Ubuntu
sudo dnf install openvpn                      # Fedora/CentOS/Alma

 

Basic setup (manual execution)

If you already have a client.ovpn file, run it immediately with:

sudo openvpn --config client.ovpn

If the server uses username/password and you don't want to enter it every time, create a credentials file:

sudo tee /etc/openvpn/credentials <<'EOF'
myuser
mypassword
EOF
sudo chmod 600 /etc/openvpn/credentials

The following line must be present in the .ovpn file (add it if it is missing):

auth-user-pass /etc/openvpn/credentials

Security tip: use auth-nocache to prevent OpenVPN from caching the password in memory:

auth-nocache

 

Default route control: default server behavior

The default behavior of routes is often determined by the server:

  • If the server pushes redirect-gateway def1, all your traffic goes through the VPN (full tunnel).
  • To stop the client from accepting the pushed default route, use route-nopull and then add the required routes manually.

 

Method 1 — Send only some IPs through VPN (Split tunnel)

If you want only specific addresses to go through the VPN, put route-nopull in client.ovpn and add the desired routes:

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

route-nopull

route 203.0.113.45 255.255.255.255
route 198.51.100.0 255.255.255.0

Explanation: with route-nopull, no routes pushed by the server are accepted; the route lines then send only the listed destinations through the VPN.
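To confirm that the split is actually in effect after connecting, here is an added check script (not from the original article). It asks the kernel, via ip route get, which interface it would use for each destination, and compares that with what the route lines above intend. The addresses and interface names are the article's sample values; sample_lookup is a constructed stand-in for the real lookup so the checker can be exercised without a tunnel.

```shell
#!/bin/sh
# Added example, not from the original article: after loading the split-tunnel
# config above, confirm which interface the kernel really selects for each
# destination. Only the destinations listed in 'route' lines should go out via
# tun0; everything else should keep using the normal interface.

# dev_for_route_line "203.0.113.45 via 10.8.0.1 dev tun0 src 10.8.0.2" -> tun0
dev_for_route_line() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# lookup_dev DEST -> interface the kernel would use ('ip route get' shows the
# routing decision for one packet without sending anything)
lookup_dev() {
    dev_for_route_line "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

# sample_lookup DEST -> constructed answers standing in for lookup_dev on a
# connected client, so the checker runs without root or a tunnel
sample_lookup() {
    case "$1" in
        203.0.113.45|198.51.100.*) echo tun0 ;;
        *) echo eth0 ;;
    esac
}

# check_split LOOKUP VPN_DEV "dests expected via VPN" "dests expected direct"
# Prints one result line per destination; returns 1 if any expectation fails.
check_split() {
    lookup=$1; vpn_dev=$2; via_vpn=$3; direct=$4; rc=0
    for d in $via_vpn; do
        got=$("$lookup" "$d")
        if [ "$got" = "$vpn_dev" ]; then st=ok; else st=MISMATCH; rc=1; fi
        echo "$d expected=$vpn_dev got=${got:-none} $st"
    done
    for d in $direct; do
        got=$("$lookup" "$d")
        if [ -n "$got" ] && [ "$got" != "$vpn_dev" ]; then st=ok; else st=MISMATCH; rc=1; fi
        echo "$d expected=not-$vpn_dev got=${got:-none} $st"
    done
    return $rc
}

# Real check on a connected client: replace sample_lookup with lookup_dev.
check_split sample_lookup tun0 "203.0.113.45 198.51.100.7" "8.8.8.8 1.1.1.1"
```

On a live system, call check_split with lookup_dev instead of sample_lookup; a MISMATCH on a destination that should be direct usually means the server's pushed routes were accepted after all (route-nopull missing), and a MISMATCH on a destination that should use tun0 means the route line is missing or the tunnel is not up.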

 

Method 2 — All traffic through VPN, but a few specific IPs go through the normal route (Bypass)

When the server pushes redirect-gateway def1 and you want a few specific addresses to keep using the default (Internet) route, you need to save the original gateway and add bypass routes through it.

A) Save the original gateway before connecting

Sample commands to get the default gateway and device before connecting:

GW=$(ip route show default | awk '/default/ {print $3}')
DEV=$(ip route show default | awk '/default/ {print $5}')

After tun0 comes up, re-add the IPs you want to bypass via GW:

sudo ip route add 203.0.113.0/24 via $GW dev $DEV
sudo ip route add 8.8.8.8/32 via $GW dev $DEV

B) Automate with up/down scripts

Add the following lines to client.ovpn so that the scripts are run:

script-security 2
up /etc/openvpn/client-up.sh
down /etc/openvpn/client-down.sh

Example /etc/openvpn/client-up.sh:

#!/bin/bash
# Record the pre-VPN default gateway and interface (first default route only)
ip route show default | awk '/default/ {print $3, $5}' | head -n 1 > /var/run/openvpn.origgw
GW=$(awk '{print $1}' /var/run/openvpn.origgw)
DEV=$(awk '{print $2}' /var/run/openvpn.origgw)
# Send these destinations via the original gateway instead of the tunnel
ip route add 8.8.8.8/32 via $GW dev $DEV
ip route add 203.0.113.45/32 via $GW dev $DEV
# Always exit 0: a failing up script makes OpenVPN abort the connection
exit 0

Example /etc/openvpn/client-down.sh:

#!/bin/bash
GW=$(awk '{print $1}' /var/run/openvpn.origgw)
DEV=$(awk '{print $2}' /var/run/openvpn.origgw)
# Remove the bypass routes; ignore errors if they are already gone
ip route del 8.8.8.8/32 via $GW dev $DEV || true
ip route del 203.0.113.45/32 via $GW dev $DEV || true
rm -f /var/run/openvpn.origgw
exit 0

Don't forget to make the scripts executable:

sudo chmod +x /etc/openvpn/client-up.sh /etc/openvpn/client-down.sh
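As an added example (not from the original article), the two scripts above can be folded into one hook that serves as both up and down. It relies on two variables OpenVPN exports to scripts: script_type ("up" or "down") and route_net_gateway (the default gateway that existed before the tunnel was set up), and it parses the routing table by token instead of by fixed awk field position. The bypass list and state-file path are the article's sample values; the script name /etc/openvpn/client-routes.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: a single up/down hook that
# re-adds bypass routes via the pre-VPN gateway, used as both
#   up   /etc/openvpn/client-routes.sh
#   down /etc/openvpn/client-routes.sh
# OpenVPN sets script_type ("up"/"down") and route_net_gateway (the default
# gateway that existed before the tunnel came up). Set DRY_RUN=1 to print the
# ip commands instead of running them.

BYPASS_NETS="8.8.8.8/32 203.0.113.45/32"          # article's sample bypass list
STATE_FILE="${STATE_FILE:-/var/run/openvpn.origgw}"

# parse_default_route "default via 192.168.1.1 dev eth0 proto dhcp ..." -> "192.168.1.1 eth0"
# Walks the tokens instead of assuming fixed awk field positions.
parse_default_route() {
    set -- $1
    gw=""; dev=""
    while [ $# -gt 0 ]; do
        case "$1" in
            via) gw=$2; shift ;;
            dev) dev=$2; shift ;;
        esac
        shift
    done
    [ -n "$gw" ] && [ -n "$dev" ] || return 1
    printf '%s %s\n' "$gw" "$dev"
}

# apply_bypass add|del GW DEV NET... -> one 'ip route' command per network.
# Failures (route already present / already gone) never abort the hook,
# because a non-zero exit from an up script makes OpenVPN drop the connection.
apply_bypass() {
    action=$1; gw=$2; dev=$3; shift 3
    for net in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ip route $action $net via $gw dev $dev"
        else
            ip route "$action" "$net" via "$gw" dev "$dev" 2>/dev/null || true
        fi
    done
}

case "${script_type:-}" in
    up)
        set -- $(parse_default_route "$(ip route show default | head -n 1)")
        GW=${route_net_gateway:-$1}; DEV=$2
        if [ -n "$GW" ] && [ -n "$DEV" ]; then
            echo "$GW $DEV" > "$STATE_FILE"
            apply_bypass add "$GW" "$DEV" $BYPASS_NETS
        else
            echo "client-routes: no pre-VPN default route found, bypass skipped" >&2
        fi
        ;;
    down)
        if [ -r "$STATE_FILE" ]; then
            read -r GW DEV < "$STATE_FILE"
            apply_bypass del "$GW" "$DEV" $BYPASS_NETS
            rm -f "$STATE_FILE"
        fi
        ;;
    *)
        # Not started by OpenVPN: show the commands the up hook would run for a
        # constructed routing-table line.
        DRY_RUN=1
        set -- $(parse_default_route "default via 192.168.1.1 dev eth0 proto dhcp metric 100")
        apply_bypass add "$1" "$2" $BYPASS_NETS
        ;;
esac
```

Because the hook never exits non-zero, a bypass route that already exists (for example after a reconnect) does not bring the tunnel down; the state file lets the down half delete exactly the routes the up half added.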

 

Method 3 — Policy-based Routing

You can use policy-based routing to direct source-specific traffic through the VPN.

echo "200 vpnroute" | sudo tee -a /etc/iproute2/rt_tables
sudo ip rule add from 10.0.0.5/32 lookup vpnroute
sudo ip route add default dev tun0 table vpnroute

To see the tun0 address and the VPN-side gateway:

ip -4 addr show dev tun0
ip route show dev tun0
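The three commands of Method 3 are not safe to re-run as written: tee -a appends another "200 vpnroute" line every time, and ip rule add / ip route add fail with "File exists" on the second run (for example after every reconnect). The following is an added, idempotent version (not from the original article) that checks before changing anything. Table id, table name and the 10.0.0.5 source address are the article's values; RT_TABLES can be pointed at a scratch file to exercise ensure_rt_table without root, and APPLY=1 performs the real setup.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent version of the
# Method 3 policy-routing setup. Helpers check the current state first, so
# the script can be run repeatedly (e.g. from an up hook on every reconnect).

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# ensure_rt_table ID NAME -> appends "ID NAME" unless NAME is already defined
ensure_rt_table() {
    id=$1; name=$2
    if grep -qE "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# rule_pattern SRC TABLE -> the text 'ip rule show' prints for that rule.
# A /32 source is displayed without its prefix length, so it is stripped here.
rule_pattern() {
    printf 'from %s lookup %s\n' "${1%/32}" "$2"
}

# ensure_rule SRC TABLE -> add the source-based rule only if it is not listed yet
ensure_rule() {
    if ip rule show 2>/dev/null | grep -qF "$(rule_pattern "$1" "$2")"; then
        return 0
    fi
    ip rule add from "$1" lookup "$2"
}

# vpn_default_route TABLE DEV -> 'replace' instead of 'add', so the table is
# refreshed after every reconnect instead of failing when the route exists
vpn_default_route() {
    ip route replace default dev "$2" table "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    ensure_rt_table 200 vpnroute
    ensure_rule 10.0.0.5/32 vpnroute
    vpn_default_route vpnroute tun0
else
    # Dry demonstration against a scratch copy: running twice leaves one entry.
    RT_TABLES=$(mktemp)
    ensure_rt_table 200 vpnroute
    ensure_rt_table 200 vpnroute
    echo "vpnroute entries after two runs: $(grep -c vpnroute "$RT_TABLES")"
    echo "rule to look for: $(rule_pattern 10.0.0.5/32 vpnroute)"
    rm -f "$RT_TABLES"
fi
```

Run it as root with APPLY=1 once tun0 exists; without APPLY it only demonstrates the table-file handling on a temporary file.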

 

Connecting with systemd (autostart)

For a configuration file placed in /etc/openvpn/client/ (the template unit expects it to be named with a .conf extension, e.g. /etc/openvpn/client/client.conf), you can use the systemd unit:

sudo systemctl start openvpn-client@client
sudo systemctl enable openvpn-client@client
sudo journalctl -u openvpn-client@client -f

 

DNS and name resolution problems

If DNS servers are pushed by the server, some distributions need the update-resolv-conf script or integration with systemd-resolved:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Systems that use systemd-resolved may need additional configuration.
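For hosts that run systemd-resolved, here is an added up/down hook (not part of the article and not OpenVPN's own update-resolv-conf). OpenVPN hands pushed "dhcp-option DNS x.x.x.x" values to scripts as the environment variables foreign_option_1, foreign_option_2, ..., passes the tunnel device as $1 and sets script_type to "up" or "down". The resolvectl calls bind the pushed servers to the tunnel interface only and route every lookup to them while the tunnel is up, so queries do not leak to the normal resolver; revert undoes that on disconnect. The script name /etc/openvpn/resolved-hook.sh and the pushed values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: up/down hook for
# systemd-resolved hosts. Use with:
#   script-security 2
#   up   /etc/openvpn/resolved-hook.sh
#   down /etc/openvpn/resolved-hook.sh
# (script name is hypothetical)

# collect_foreign_options -> values of foreign_option_1..N, one per line
collect_foreign_options() {
    i=1
    while eval "[ -n \"\${foreign_option_$i:-}\" ]"; do
        eval "printf '%s\n' \"\$foreign_option_$i\""
        i=$((i + 1))
    done
}

# pushed_dns (stdin: option lines) -> only the DNS server addresses
pushed_dns() {
    while IFS= read -r opt; do
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
    done
}

# apply_dns DEV SERVER... -> point resolved at the pushed servers for DEV
apply_dns() {
    dev=$1; shift
    [ $# -gt 0 ] || return 0        # nothing pushed: leave DNS alone
    resolvectl dns "$dev" "$@"
    resolvectl domain "$dev" '~.'   # send all lookups through the tunnel's servers
}

case "${script_type:-}" in
    up)   apply_dns "$1" $(collect_foreign_options | pushed_dns) ;;
    down) resolvectl revert "$1" ;;
    *)
        # Not started by OpenVPN: show what a constructed push would produce.
        foreign_option_1="dhcp-option DNS 10.8.0.1"
        foreign_option_2="dhcp-option DOMAIN corp.example"
        foreign_option_3="dhcp-option DNS 10.8.0.2"
        echo "servers that would be bound to tun0: $(collect_foreign_options | pushed_dns | tr '\n' ' ')"
        ;;
esac
```

After connecting, resolvectl status tun0 should list the pushed servers; after the down hook runs, the entry disappears and the host's original resolver configuration is back.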

 

Complete client.ovpn example (sample)

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256

auth-user-pass /etc/openvpn/credentials
auth-nocache
route-nopull

route 203.0.113.45 255.255.255.255
route 198.51.100.0 255.255.255.0

script-security 2
up /etc/openvpn/client-up.sh
down /etc/openvpn/client-down.sh

 

Security and operational tips

  • Protect the credentials file with chmod 600.
  • Use a client certificate together with tls-auth/tls-crypt to prevent simple DoS.
  • Use auth-nocache to avoid caching the password in memory.
  • Keep OpenVPN up to date and use a modern cipher/hash such as AES-256-GCM or CHACHA20.
  • Monitor logs and use systemd with logrotate to rotate logs.

For environments that require the lowest latency (traders/gamers), use close locations or split-tunneling to route only the services you need to maintain ping and stability.

 

Fix common errors

  • Connection not established: check the port and protocol in the firewall (ufw/iptables/security group).
  • DNS is not working: use update-resolv-conf or adjust /etc/resolv.conf manually.
  • Routes are not added: make sure script-security 2 is set and the scripts are executable.
  • Internet drops after connecting: the server probably pushed the default route; use the bypass or route-nopull methods.

 

Comparison of applications and tips for different types of users

  • Traders: Need for ping and stability; use close locations and, if possible, split-tunnel only to connect to the trading server.
  • Gamers: Game traffic should usually take the shortest route; full-tunnel can increase ping, so route only the game server or use a nearby server.
  • Site Administrators/DevOps: It is recommended to run the OpenVPN client on servers with systemd and use policy-based routing for specific services.
  • AI/Rendering: For large data transfers, full-tunnel and high-bandwidth servers are more suitable.

 

Summary and Conclusion

To run the OpenVPN client on Linux, you usually need the .ovpn file plus auth-user-pass and, if needed, route-nopull; that is enough for a split tunnel. To bypass some IPs during full-tunnel, save the previous gateway and add the appropriate routes. For more complex behaviour, use policy-based routing.
